@originator-profile/sign 0.4.0-beta.1

package/README.md

@@ -0,0 +1,3 @@
+# Profile Sign
+
+鍵の生成と署名するためのパッケージです。

package/dist/index.cjs

@@ -0,0 +1,286 @@
+'use strict';
+
+var securingMechanism = require('@originator-profile/securing-mechanism');
+
+const supportedHashAlgorithms = {
+  /** SHA-256 hash algorithm */
+  sha256: "SHA-256",
+  /** SHA-384 hash algorithm */
+  sha384: "SHA-384",
+  /** SHA-512 hash algorithm */
+  sha512: "SHA-512"
+};
+const IntegrityMetadataRegex = /^(?<alg>sha256|sha384|sha512)-(?<val>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)(?:[?](?<opt>[\x21-\x7e]*))?$/;
+class IntegrityMetadata {
+  /** Hash algorithm */
+  alg;
+  /** The base64-encoded hash value of the resource */
+  val;
+  /** Optional additional attributes */
+  opt;
+  /**
+   * Creates an instance of `IntegrityMetadata` from a given object or string.
+   * @param integrity The integrity metadata input, which can be a string or object.
+   * @example
+   * ```js
+   * new IntegrityMetadata("sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=")
+   * ```
+   *
+   * or
+   *
+   * ```js
+   * new IntegrityMetadata({
+   *   alg: "sha256",
+   *   val: "MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=",
+   * })
+   * ```
+   */
+  constructor(integrity) {
+    const integrityString = typeof integrity === "object" && integrity !== null ? IntegrityMetadata.stringify(integrity) : String(integrity ?? "").trim();
+    const {
+      alg = "",
+      val = "",
+      opt
+    } = IntegrityMetadataRegex.exec(integrityString)?.groups ?? {};
+    Object.assign(this, {
+      alg,
+      val,
+      opt: opt?.split("?") ?? []
+    });
+  }
+  /**
+   * Compares the current integrity metadata with another object or string.
+   * @param integrity The integrity metadata to compare with.
+   * @returns `true` if the integrity metadata matches, `false` otherwise.
+   * @example
+   * ```js
+   * integrityMetadata.match("sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=")
+   * ```
+   *
+   * or
+   *
+   * ```js
+   * integrityMetadata.match({
+   *   alg: "sha256",
+   *   val: "MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=",
+   * })
+   * ```
+   */
+  match(integrity) {
+    const { alg, val } = new IntegrityMetadata(integrity);
+    if (!alg) return false;
+    if (!val) return false;
+    if (!(alg in supportedHashAlgorithms)) return false;
+    return alg === this.alg && val === this.val;
+  }
+  /**
+   * Converts the integrity metadata into a string representation.
+   * @returns The string representation of the integrity metadata.
+   */
+  toString() {
+    return IntegrityMetadata.stringify(this);
+  }
+  /**
+   * Converts the integrity metadata into a JSON string.
+   * @returns The JSON string representation of the integrity metadata.
+   */
+  toJSON() {
+    return this.toString();
+  }
+  /**
+   * Static method to stringify an integrity metadata object.
+   * @param integrity The integrity metadata object to stringify.
+   * @returns The stringified integrity metadata.
+   * @example
+   * ```js
+   * IntegrityMetadata.stringify({
+   *   alg: "sha256",
+   *   val: "MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=",
+   * }) // "sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM="
+   * ```
+   */
+  static stringify({ alg, val, opt = [] }) {
+    if (!alg) return "";
+    if (!val) return "";
+    if (!(alg in supportedHashAlgorithms)) return "";
+    return `${alg}-${[val, ...opt].join("?")}`;
+  }
+}
+async function createIntegrityMetadata(hashAlgorithm, data, opt = []) {
+  const alg = hashAlgorithm.toLowerCase();
+  if (!(alg in supportedHashAlgorithms)) {
+    return new IntegrityMetadata("");
+  }
+  const hashAlgorithmIdentifier = supportedHashAlgorithms[alg];
+  const arrayBuffer = await crypto.subtle.digest(hashAlgorithmIdentifier, data);
+  const val = btoa(String.fromCharCode(...new Uint8Array(arrayBuffer)));
+  const integrity = IntegrityMetadata.stringify({ alg, val, opt });
+  return new IntegrityMetadata(integrity);
+}
+
+async function createDigestSri(alg, resource, fetcher = fetch) {
+  if (!(alg in supportedHashAlgorithms)) {
+    return { id: resource.id };
+  }
+  const meta = await Promise.all(
+    [resource.content ?? resource.id].flat().map(async (content) => {
+      const res = await fetcher(content);
+      const data = await res.arrayBuffer();
+      return await createIntegrityMetadata(alg, data);
+    })
+  );
+  return {
+    id: resource.id,
+    digestSRI: meta.join(" ")
+  };
+}
+
+async function fetchAndSetDigestSri(alg, content) {
+  if (!content) return content;
+  if (typeof content.digestSRI !== "string") {
+    Object.assign(
+      content,
+      await createDigestSri(alg, content)
+    );
+  }
+  delete content.content;
+  return content;
+}
+
+const fetchHtmlContent = async (elements) => {
+  const text = elements.map((element) => element.outerHTML).join("");
+  return [new Response(text)];
+};
+const fetchTextContent = async (elements) => {
+  const text = elements.map((element) => element.textContent ?? "").join("");
+  return [new Response(text)];
+};
+const fetchVisibleTextContent = async (elements) => {
+  const text = elements.map((element) => element.innerText).join("");
+  return [new Response(text)];
+};
+const fetchExternalResource = async (elements, fetcher = fetch) => {
+  return await Promise.all(
+    elements.map(async (element) => {
+      const el = element;
+      const src = el.currentSrc || el.src;
+      if (!src) {
+        throw new Error("Element has no src or currentSrc property");
+      }
+      return await fetcher(src);
+    })
+  );
+};
+const selectByCss = (params) => {
+  return Array.from(
+    params.document.querySelectorAll(params.cssSelector)
+  );
+};
+const selectByIntegrity = (params) => {
+  return selectByCss({
+    ...params,
+    cssSelector: `[integrity=${JSON.stringify(String(params.integrity))}]`
+  });
+};
+async function createIntegrity(alg, { content = "", ...target }, doc = document) {
+  if (![
+    "TextTargetIntegrity",
+    "VisibleTextTargetIntegrity",
+    "HtmlTargetIntegrity",
+    "ExternalResourceTargetIntegrity"
+  ].includes(target.type)) {
+    return null;
+  }
+  if (!(alg in supportedHashAlgorithms)) {
+    return null;
+  }
+  if (target.type === "ExternalResourceTargetIntegrity") {
+    const meta2 = await Promise.all(
+      [content].flat().map(async (content2) => {
+        const res2 = URL.canParse(content2) ? await fetch(content2) : new Response(content2);
+        const data2 = await res2.arrayBuffer();
+        return await createIntegrityMetadata(alg, data2);
+      })
+    );
+    return {
+      ...target,
+      integrity: meta2.join(" ")
+    };
+  }
+  const { contentFetcher, elementSelector } = {
+    HtmlTargetIntegrity: {
+      contentFetcher: fetchHtmlContent,
+      elementSelector: selectByCss
+    },
+    TextTargetIntegrity: {
+      contentFetcher: fetchTextContent,
+      elementSelector: selectByCss
+    },
+    VisibleTextTargetIntegrity: {
+      contentFetcher: fetchVisibleTextContent,
+      elementSelector: selectByCss
+    }
+  }[target.type];
+  const elements = elementSelector({ ...target, document: doc });
+  if (elements.length === 0) return null;
+  const [res] = await contentFetcher(elements);
+  if (!res) return null;
+  const data = await res.arrayBuffer();
+  const meta = await createIntegrityMetadata(alg, data);
+  return {
+    ...target,
+    integrity: meta.toString()
+  };
+}
+
+class IntegrityCalculationError extends Error {
+}
+async function fetchAndSetTargetIntegrity(alg, obj, documentProvider = async () => document) {
+  const target = await Promise.all(
+    obj.target.map(async (raw, i) => {
+      if (raw.integrity) {
+        const { content: _, ...target3 } = raw;
+        return target3;
+      }
+      const doc = await documentProvider(raw);
+      const target2 = await createIntegrity(alg, raw, doc);
+      if (!target2) {
+        throw new IntegrityCalculationError(
+          `Failed to create integrity for element target[${i}].`
+        );
+      }
+      return target2;
+    })
+  );
+  return Object.assign(obj, { target });
+}
+
+async function signCa(uca, privateKey, {
+  alg = "ES256",
+  issuedAt = /* @__PURE__ */ new Date(),
+  expiredAt,
+  integrityAlg = "sha256",
+  documentProvider = async () => document
+}) {
+  await fetchAndSetDigestSri(integrityAlg, uca.credentialSubject.image);
+  await fetchAndSetTargetIntegrity(integrityAlg, uca, documentProvider);
+  return await securingMechanism.signJwtVc(uca, privateKey, { alg, issuedAt, expiredAt });
+}
+
+async function signCp(cp, privateKey, options) {
+  return securingMechanism.signJwtVc(cp, privateKey, options);
+}
+
+exports.IntegrityCalculationError = IntegrityCalculationError;
+exports.createDigestSri = createDigestSri;
+exports.createIntegrity = createIntegrity;
+exports.fetchAndSetDigestSri = fetchAndSetDigestSri;
+exports.fetchAndSetTargetIntegrity = fetchAndSetTargetIntegrity;
+exports.fetchExternalResource = fetchExternalResource;
+exports.fetchHtmlContent = fetchHtmlContent;
+exports.fetchTextContent = fetchTextContent;
+exports.fetchVisibleTextContent = fetchVisibleTextContent;
+exports.selectByCss = selectByCss;
+exports.selectByIntegrity = selectByIntegrity;
+exports.signCa = signCa;
+exports.signCp = signCp;

package/dist/index.d.cts

@@ -0,0 +1,199 @@
+import { Image, RawTarget, Target, UnsignedContentAttestation, Jwk, CoreProfile } from '@originator-profile/model';
+
+/**
+ * Represents the available hash algorithms used for Subresource Integrity.
+ * @see {@link https://www.w3.org/TR/CSP2/#hash_algo}
+ */
+type HashAlgorithm = "sha256" | "sha384" | "sha512";
+
+type DigestSriContent = Image;
+type ContentFetcher = (elements: ReadonlyArray<HTMLElement>, fetcher?: typeof fetch) => Promise<ReadonlyArray<Response>>;
+type ElementSelector = (params: {
+    cssSelector?: string;
+    integrity?: string;
+    document: Document;
+}) => ReadonlyArray<HTMLElement>;
+/** 文脈に応じて Document を提供する関数 */
+type DocumentProvider = (raw: RawTarget) => Promise<Document>;
+
+/**
+ * `digestSRI` の作成
+ *
+ * `content` にアクセスし `digestSRI` を計算します。
+ * なお、`content` プロパティは削除されます。
+ * `content` プロパティが存在しない場合、`id` にアクセスし `digestSRI` 計算します。
+ *
+ * 複数のコンテンツが指定された場合、それぞれのハッシュ値がスペース区切りで結合されます。
+ *
+ * @see {@link https://www.w3.org/TR/SRI/#the-integrity-attribute}
+ * @example
+ * 単一コンテンツ
+ * ```ts
+ * const resource = {
+ *   id: "<URL>",
+ *   content: "<コンテンツ (URL)>", // 省略可能
+ * };
+ *
+ * const { digestSRI } = await createDigestSri("sha256", resource);
+ * console.log(digestSRI); // sha256-...
+ * ```
+ *
+ * @example
+ * 複数コンテンツ
+ * ```ts
+ * const resource = {
+ *   id: "<URL>",
+ *   content: ["<コンテンツURL1>", "<コンテンツURL2>"],
+ * };
+ *
+ * const { digestSRI } = await createDigestSri("sha256", resource);
+ * console.log(digestSRI); // sha256-... sha256-...
+ * ```
+ */
+declare function createDigestSri(alg: HashAlgorithm, resource: {
+    /** URL */
+    id: string;
+    /** コンテンツ (URL) */
+    content?: Array<string> | string;
+}, fetcher?: typeof fetch): Promise<DigestSriContent>;
+
+/**
+ * オブジェクトへの `digestSRI` の割り当て
+ *
+ * `digestSRI` を省略した場合、`content` にアクセスし `digestSRI` を計算します。
+ * なお、`content` プロパティは削除されます。
+ * `content` プロパティが存在しない場合、`id` にアクセスし `digestSRI` 計算します。
+ * @see {@link https://www.w3.org/TR/SRI/#the-integrity-attribute}
+ * @example
+ * ```ts
+ * const resource = {
+ *   id: "<URL>",
+ *   content: "<コンテンツ (URL)>", // 省略可能
+ * };
+ *
+ * await fetchAndSetDigestSri("sha256", resource);
+ *
+ * console.log(resource);
+ * // {
+ * //   id: "<URL>",
+ * //   digestSRI: "sha256-..."
+ * // }
+ * ```
+ */
+declare function fetchAndSetDigestSri(alg: HashAlgorithm, content: unknown): Promise<DigestSriContent | undefined>;
+
+/** Integrityの計算に失敗 (例: 検証対象が存在しない) エラー */
+declare class IntegrityCalculationError extends Error {
+}
+/**
+ * 未署名 Content Attestation への Target Integrity の割り当て
+ * target[].integrity を省略した場合、type に準じて content から integrity を計算します。
+ * 一方、target[].integrity が含まれる場合、その値をそのまま使用します。
+ * なお、いずれも target[].content プロパティが削除される点にご注意ください。
+ * @see {@link https://docs.originator-profile.org/opb/content-integrity-descriptor/}
+ * @throws {IntegrityCalculationError} Integrityの計算に失敗 (例: 検証対象が存在しない)
+ * @example
+ * ```ts
+ * const uca = {
+ *   // ...
+ *   target: [
+ *     {
+ *       type: "<Target Integrityの種別>",
+ *       cssSelector: "<CSS セレクター>",
+ *     },
+ *   ],
+ * };
+ *
+ * await fetchAndSetTargetIntegrity("sha256", uca);
+ *
+ * console.log(uca.target);
+ * // [
+ * //   {
+ * //     type: "<Target Integrityの種別>",
+ * //     cssSelector: "<CSS セレクター>",
+ * //     integrity: "sha256-..."
+ * //   }
+ * // ]
+ * ```
+ */
+declare function fetchAndSetTargetIntegrity<T extends {
+    target: ReadonlyArray<RawTarget>;
+}>(alg: HashAlgorithm, obj: T, documentProvider?: DocumentProvider): Promise<T & {
+    target: ReadonlyArray<Target>;
+}>;
+
+/** element.outerHTML and join("") */
+declare const fetchHtmlContent: ContentFetcher;
+/** element.textContent and join("") */
+declare const fetchTextContent: ContentFetcher;
+/** element.innerText and join("") */
+declare const fetchVisibleTextContent: ContentFetcher;
+/**
+ * Fetches external resources from elements by using their `currentSrc` or `src` property.
+ * HTMLImageElement (<img>) and HTMLMediaElement (<video>, <audio>) support the `currentSrc` property,
+ * which represents the actual source URL currently in use after source selection (e.g., <img srcset>, <video> with multiple <source>).
+ * `currentSrc` is preferred over `src` because it reflects the final selected resource, ensuring integrity checks are performed on the actual loaded content.
+ * Falls back to `src` if `currentSrc` is not available.
+ */
+declare const fetchExternalResource: ContentFetcher;
+declare const selectByCss: ElementSelector;
+declare const selectByIntegrity: ElementSelector;
+/**
+ * Target Integrity の作成
+ *
+ * `ExternalResourceTargetIntegrity` で複数のコンテンツが指定された場合、それぞれのハッシュ値がスペース区切りで結合されます。
+ *
+ * @see {@link https://docs.originator-profile.org/opb/content-integrity-descriptor/}
+ * @example
+ * 基本的な使用例
+ * ```ts
+ * const content = {
+ *   type: "HtmlTargetIntegrity", // or ***TargetIntegrity
+ *   cssSelector: "<CSS セレクター>",
+ * };
+ *
+ * const { integrity } = await createIntegrity("sha256", content);
+ * console.log(integrity); // sha256-...
+ * ```
+ *
+ * @example
+ * ExternalResourceTargetIntegrity で複数コンテンツ
+ * ```ts
+ * const content = {
+ *   type: "ExternalResourceTargetIntegrity",
+ *   content: ["<コンテンツURL1>", "<コンテンツURL2>"],
+ * };
+ *
+ * const { integrity } = await createIntegrity("sha256", content);
+ * console.log(integrity); // sha256-... sha256-...
+ * ```
+ */
+declare function createIntegrity(alg: HashAlgorithm, { content, ...target }: RawTarget, doc?: Document): Promise<Target | null>;
+
+/**
+ * Content Attestation への署名
+ * @param uca 未署名 Content Attestation オブジェクト
+ * @param privateKey プライベート鍵
+ * @return JWT でエンコードされた Content Attestation
+ */
+declare function signCa(uca: UnsignedContentAttestation, privateKey: Jwk, { alg, issuedAt, expiredAt, integrityAlg, documentProvider, }: {
+    alg?: string;
+    issuedAt?: Date;
+    expiredAt: Date;
+    integrityAlg?: HashAlgorithm;
+    documentProvider?: DocumentProvider;
+}): Promise<string>;
+
+/**
+ * CP への署名
+ * @param cp CoreProfile オブジェクト
+ * @param privateKey プライベート鍵
+ * @return JWT でエンコードされた CP
+ */
+declare function signCp(cp: CoreProfile, privateKey: Jwk, options: {
+    alg?: string;
+    issuedAt: Date;
+    expiredAt: Date;
+}): Promise<string>;
+
+export { type ContentFetcher, type DigestSriContent, type DocumentProvider, type ElementSelector, IntegrityCalculationError, createDigestSri, createIntegrity, fetchAndSetDigestSri, fetchAndSetTargetIntegrity, fetchExternalResource, fetchHtmlContent, fetchTextContent, fetchVisibleTextContent, selectByCss, selectByIntegrity, signCa, signCp };

package/dist/index.d.mts

@@ -0,0 +1,199 @@
+import { Image, RawTarget, Target, UnsignedContentAttestation, Jwk, CoreProfile } from '@originator-profile/model';
+
+/**
+ * Represents the available hash algorithms used for Subresource Integrity.
+ * @see {@link https://www.w3.org/TR/CSP2/#hash_algo}
+ */
+type HashAlgorithm = "sha256" | "sha384" | "sha512";
+
+type DigestSriContent = Image;
+type ContentFetcher = (elements: ReadonlyArray<HTMLElement>, fetcher?: typeof fetch) => Promise<ReadonlyArray<Response>>;
+type ElementSelector = (params: {
+    cssSelector?: string;
+    integrity?: string;
+    document: Document;
+}) => ReadonlyArray<HTMLElement>;
+/** 文脈に応じて Document を提供する関数 */
+type DocumentProvider = (raw: RawTarget) => Promise<Document>;
+
+/**
+ * `digestSRI` の作成
+ *
+ * `content` にアクセスし `digestSRI` を計算します。
+ * なお、`content` プロパティは削除されます。
+ * `content` プロパティが存在しない場合、`id` にアクセスし `digestSRI` 計算します。
+ *
+ * 複数のコンテンツが指定された場合、それぞれのハッシュ値がスペース区切りで結合されます。
+ *
+ * @see {@link https://www.w3.org/TR/SRI/#the-integrity-attribute}
+ * @example
+ * 単一コンテンツ
+ * ```ts
+ * const resource = {
+ *   id: "<URL>",
+ *   content: "<コンテンツ (URL)>", // 省略可能
+ * };
+ *
+ * const { digestSRI } = await createDigestSri("sha256", resource);
+ * console.log(digestSRI); // sha256-...
+ * ```
+ *
+ * @example
+ * 複数コンテンツ
+ * ```ts
+ * const resource = {
+ *   id: "<URL>",
+ *   content: ["<コンテンツURL1>", "<コンテンツURL2>"],
+ * };
+ *
+ * const { digestSRI } = await createDigestSri("sha256", resource);
+ * console.log(digestSRI); // sha256-... sha256-...
+ * ```
+ */
+declare function createDigestSri(alg: HashAlgorithm, resource: {
+    /** URL */
+    id: string;
+    /** コンテンツ (URL) */
+    content?: Array<string> | string;
+}, fetcher?: typeof fetch): Promise<DigestSriContent>;
+
+/**
+ * オブジェクトへの `digestSRI` の割り当て
+ *
+ * `digestSRI` を省略した場合、`content` にアクセスし `digestSRI` を計算します。
+ * なお、`content` プロパティは削除されます。
+ * `content` プロパティが存在しない場合、`id` にアクセスし `digestSRI` 計算します。
+ * @see {@link https://www.w3.org/TR/SRI/#the-integrity-attribute}
+ * @example
+ * ```ts
+ * const resource = {
+ *   id: "<URL>",
+ *   content: "<コンテンツ (URL)>", // 省略可能
+ * };
+ *
+ * await fetchAndSetDigestSri("sha256", resource);
+ *
+ * console.log(resource);
+ * // {
+ * //   id: "<URL>",
+ * //   digestSRI: "sha256-..."
+ * // }
+ * ```
+ */
+declare function fetchAndSetDigestSri(alg: HashAlgorithm, content: unknown): Promise<DigestSriContent | undefined>;
+
+/** Integrityの計算に失敗 (例: 検証対象が存在しない) エラー */
+declare class IntegrityCalculationError extends Error {
+}
+/**
+ * 未署名 Content Attestation への Target Integrity の割り当て
+ * target[].integrity を省略した場合、type に準じて content から integrity を計算します。
+ * 一方、target[].integrity が含まれる場合、その値をそのまま使用します。
+ * なお、いずれも target[].content プロパティが削除される点にご注意ください。
+ * @see {@link https://docs.originator-profile.org/opb/content-integrity-descriptor/}
+ * @throws {IntegrityCalculationError} Integrityの計算に失敗 (例: 検証対象が存在しない)
+ * @example
+ * ```ts
+ * const uca = {
+ *   // ...
+ *   target: [
+ *     {
+ *       type: "<Target Integrityの種別>",
+ *       cssSelector: "<CSS セレクター>",
+ *     },
+ *   ],
+ * };
+ *
+ * await fetchAndSetTargetIntegrity("sha256", uca);
+ *
+ * console.log(uca.target);
+ * // [
+ * //   {
+ * //     type: "<Target Integrityの種別>",
+ * //     cssSelector: "<CSS セレクター>",
+ * //     integrity: "sha256-..."
+ * //   }
+ * // ]
+ * ```
+ */
+declare function fetchAndSetTargetIntegrity<T extends {
+    target: ReadonlyArray<RawTarget>;
+}>(alg: HashAlgorithm, obj: T, documentProvider?: DocumentProvider): Promise<T & {
+    target: ReadonlyArray<Target>;
+}>;
+
+/** element.outerHTML and join("") */
+declare const fetchHtmlContent: ContentFetcher;
+/** element.textContent and join("") */
+declare const fetchTextContent: ContentFetcher;
+/** element.innerText and join("") */
+declare const fetchVisibleTextContent: ContentFetcher;
+/**
+ * Fetches external resources from elements by using their `currentSrc` or `src` property.
+ * HTMLImageElement (<img>) and HTMLMediaElement (<video>, <audio>) support the `currentSrc` property,
+ * which represents the actual source URL currently in use after source selection (e.g., <img srcset>, <video> with multiple <source>).
+ * `currentSrc` is preferred over `src` because it reflects the final selected resource, ensuring integrity checks are performed on the actual loaded content.
+ * Falls back to `src` if `currentSrc` is not available.
+ */
+declare const fetchExternalResource: ContentFetcher;
+declare const selectByCss: ElementSelector;
+declare const selectByIntegrity: ElementSelector;
+/**
+ * Target Integrity の作成
+ *
+ * `ExternalResourceTargetIntegrity` で複数のコンテンツが指定された場合、それぞれのハッシュ値がスペース区切りで結合されます。
+ *
+ * @see {@link https://docs.originator-profile.org/opb/content-integrity-descriptor/}
+ * @example
+ * 基本的な使用例
+ * ```ts
+ * const content = {
+ *   type: "HtmlTargetIntegrity", // or ***TargetIntegrity
+ *   cssSelector: "<CSS セレクター>",
+ * };
+ *
+ * const { integrity } = await createIntegrity("sha256", content);
+ * console.log(integrity); // sha256-...
+ * ```
+ *
+ * @example
+ * ExternalResourceTargetIntegrity で複数コンテンツ
+ * ```ts
+ * const content = {
+ *   type: "ExternalResourceTargetIntegrity",
+ *   content: ["<コンテンツURL1>", "<コンテンツURL2>"],
+ * };
+ *
+ * const { integrity } = await createIntegrity("sha256", content);
+ * console.log(integrity); // sha256-... sha256-...
+ * ```
+ */
+declare function createIntegrity(alg: HashAlgorithm, { content, ...target }: RawTarget, doc?: Document): Promise<Target | null>;
+
+/**
+ * Content Attestation への署名
+ * @param uca 未署名 Content Attestation オブジェクト
+ * @param privateKey プライベート鍵
+ * @return JWT でエンコードされた Content Attestation
+ */
+declare function signCa(uca: UnsignedContentAttestation, privateKey: Jwk, { alg, issuedAt, expiredAt, integrityAlg, documentProvider, }: {
+    alg?: string;
+    issuedAt?: Date;
+    expiredAt: Date;
+    integrityAlg?: HashAlgorithm;
+    documentProvider?: DocumentProvider;
+}): Promise<string>;
+
+/**
+ * CP への署名
+ * @param cp CoreProfile オブジェクト
+ * @param privateKey プライベート鍵
+ * @return JWT でエンコードされた CP
+ */
+declare function signCp(cp: CoreProfile, privateKey: Jwk, options: {
+    alg?: string;
+    issuedAt: Date;
+    expiredAt: Date;
+}): Promise<string>;
+
+export { type ContentFetcher, type DigestSriContent, type DocumentProvider, type ElementSelector, IntegrityCalculationError, createDigestSri, createIntegrity, fetchAndSetDigestSri, fetchAndSetTargetIntegrity, fetchExternalResource, fetchHtmlContent, fetchTextContent, fetchVisibleTextContent, selectByCss, selectByIntegrity, signCa, signCp };

package/dist/index.mjs

@@ -0,0 +1,272 @@
+import { signJwtVc } from '@originator-profile/securing-mechanism';
+
+const supportedHashAlgorithms = {
+  /** SHA-256 hash algorithm */
+  sha256: "SHA-256",
+  /** SHA-384 hash algorithm */
+  sha384: "SHA-384",
+  /** SHA-512 hash algorithm */
+  sha512: "SHA-512"
+};
+const IntegrityMetadataRegex = /^(?<alg>sha256|sha384|sha512)-(?<val>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)(?:[?](?<opt>[\x21-\x7e]*))?$/;
+class IntegrityMetadata {
+  /** Hash algorithm */
+  alg;
+  /** The base64-encoded hash value of the resource */
+  val;
+  /** Optional additional attributes */
+  opt;
+  /**
+   * Creates an instance of `IntegrityMetadata` from a given object or string.
+   * @param integrity The integrity metadata input, which can be a string or object.
+   * @example
+   * ```js
+   * new IntegrityMetadata("sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=")
+   * ```
+   *
+   * or
+   *
+   * ```js
+   * new IntegrityMetadata({
+   *   alg: "sha256",
+   *   val: "MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=",
+   * })
+   * ```
+   */
+  constructor(integrity) {
+    const integrityString = typeof integrity === "object" && integrity !== null ? IntegrityMetadata.stringify(integrity) : String(integrity ?? "").trim();
+    const {
+      alg = "",
+      val = "",
+      opt
+    } = IntegrityMetadataRegex.exec(integrityString)?.groups ?? {};
+    Object.assign(this, {
+      alg,
+      val,
+      opt: opt?.split("?") ?? []
+    });
+  }
+  /**
+   * Compares the current integrity metadata with another object or string.
+   * @param integrity The integrity metadata to compare with.
+   * @returns `true` if the integrity metadata matches, `false` otherwise.
+   * @example
+   * ```js
+   * integrityMetadata.match("sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=")
+   * ```
+   *
+   * or
+   *
+   * ```js
+   * integrityMetadata.match({
+   *   alg: "sha256",
+   *   val: "MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=",
+   * })
+   * ```
+   */
+  match(integrity) {
+    const { alg, val } = new IntegrityMetadata(integrity);
+    if (!alg) return false;
+    if (!val) return false;
+    if (!(alg in supportedHashAlgorithms)) return false;
+    return alg === this.alg && val === this.val;
+  }
+  /**
+   * Converts the integrity metadata into a string representation.
+   * @returns The string representation of the integrity metadata.
+   */
+  toString() {
+    return IntegrityMetadata.stringify(this);
+  }
+  /**
+   * Converts the integrity metadata into a JSON string.
+   * @returns The JSON string representation of the integrity metadata.
+   */
+  toJSON() {
+    return this.toString();
+  }
+  /**
+   * Static method to stringify an integrity metadata object.
+   * @param integrity The integrity metadata object to stringify.
+   * @returns The stringified integrity metadata.
+   * @example
+   * ```js
+   * IntegrityMetadata.stringify({
+   *   alg: "sha256",
+   *   val: "MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM=",
+   * }) // "sha256-MV9b23bQeMQ7isAGTkoBZGErH853yGk0W/yUx1iU7dM="
+   * ```
+   */
+  static stringify({ alg, val, opt = [] }) {
+    if (!alg) return "";
+    if (!val) return "";
+    if (!(alg in supportedHashAlgorithms)) return "";
+    return `${alg}-${[val, ...opt].join("?")}`;
+  }
+}
+async function createIntegrityMetadata(hashAlgorithm, data, opt = []) {
+  const alg = hashAlgorithm.toLowerCase();
+  if (!(alg in supportedHashAlgorithms)) {
+    return new IntegrityMetadata("");
+  }
+  const hashAlgorithmIdentifier = supportedHashAlgorithms[alg];
+  const arrayBuffer = await crypto.subtle.digest(hashAlgorithmIdentifier, data);
+  const val = btoa(String.fromCharCode(...new Uint8Array(arrayBuffer)));
+  const integrity = IntegrityMetadata.stringify({ alg, val, opt });
+  return new IntegrityMetadata(integrity);
+}
+
+async function createDigestSri(alg, resource, fetcher = fetch) {
+  if (!(alg in supportedHashAlgorithms)) {
+    return { id: resource.id };
+  }
+  const meta = await Promise.all(
+    [resource.content ?? resource.id].flat().map(async (content) => {
+      const res = await fetcher(content);
+      const data = await res.arrayBuffer();
+      return await createIntegrityMetadata(alg, data);
+    })
+  );
+  return {
+    id: resource.id,
+    digestSRI: meta.join(" ")
+  };
+}
+
+async function fetchAndSetDigestSri(alg, content) {
+  if (!content) return content;
+  if (typeof content.digestSRI !== "string") {
+    Object.assign(
+      content,
+      await createDigestSri(alg, content)
+    );
+  }
+  delete content.content;
+  return content;
+}
+
+const fetchHtmlContent = async (elements) => {
+  const text = elements.map((element) => element.outerHTML).join("");
+  return [new Response(text)];
+};
+const fetchTextContent = async (elements) => {
+  const text = elements.map((element) => element.textContent ?? "").join("");
+  return [new Response(text)];
+};
+const fetchVisibleTextContent = async (elements) => {
+  const text = elements.map((element) => element.innerText).join("");
+  return [new Response(text)];
+};
+const fetchExternalResource = async (elements, fetcher = fetch) => {
+  return await Promise.all(
+    elements.map(async (element) => {
+      const el = element;
+      const src = el.currentSrc || el.src;
+      if (!src) {
+        throw new Error("Element has no src or currentSrc property");
+      }
+      return await fetcher(src);
+    })
+  );
+};
+const selectByCss = (params) => {
+  return Array.from(
+    params.document.querySelectorAll(params.cssSelector)
+  );
+};
+const selectByIntegrity = (params) => {
+  return selectByCss({
+    ...params,
+    cssSelector: `[integrity=${JSON.stringify(String(params.integrity))}]`
+  });
+};
+async function createIntegrity(alg, { content = "", ...target }, doc = document) {
+  if (![
+    "TextTargetIntegrity",
+    "VisibleTextTargetIntegrity",
+    "HtmlTargetIntegrity",
+    "ExternalResourceTargetIntegrity"
+  ].includes(target.type)) {
+    return null;
+  }
+  if (!(alg in supportedHashAlgorithms)) {
+    return null;
+  }
+  if (target.type === "ExternalResourceTargetIntegrity") {
+    const meta2 = await Promise.all(
+      [content].flat().map(async (content2) => {
+        const res2 = URL.canParse(content2) ? await fetch(content2) : new Response(content2);
+        const data2 = await res2.arrayBuffer();
+        return await createIntegrityMetadata(alg, data2);
+      })
+    );
+    return {
+      ...target,
+      integrity: meta2.join(" ")
+    };
+  }
+  const { contentFetcher, elementSelector } = {
+    HtmlTargetIntegrity: {
+      contentFetcher: fetchHtmlContent,
+      elementSelector: selectByCss
+    },
+    TextTargetIntegrity: {
+      contentFetcher: fetchTextContent,
+      elementSelector: selectByCss
+    },
+    VisibleTextTargetIntegrity: {
+      contentFetcher: fetchVisibleTextContent,
+      elementSelector: selectByCss
+    }
+  }[target.type];
+  const elements = elementSelector({ ...target, document: doc });
+  if (elements.length === 0) return null;
+  const [res] = await contentFetcher(elements);
+  if (!res) return null;
+  const data = await res.arrayBuffer();
+  const meta = await createIntegrityMetadata(alg, data);
+  return {
+    ...target,
+    integrity: meta.toString()
+  };
+}
+
+class IntegrityCalculationError extends Error {
+}
+async function fetchAndSetTargetIntegrity(alg, obj, documentProvider = async () => document) {
+  const target = await Promise.all(
+    obj.target.map(async (raw, i) => {
+      if (raw.integrity) {
+        const { content: _, ...target3 } = raw;
+        return target3;
+      }
+      const doc = await documentProvider(raw);
+      const target2 = await createIntegrity(alg, raw, doc);
+      if (!target2) {
+        throw new IntegrityCalculationError(
+          `Failed to create integrity for element target[${i}].`
+        );
+      }
+      return target2;
+    })
+  );
+  return Object.assign(obj, { target });
+}
+
+async function signCa(uca, privateKey, {
+  alg = "ES256",
+  issuedAt = /* @__PURE__ */ new Date(),
+  expiredAt,
+  integrityAlg = "sha256",
+  documentProvider = async () => document
+}) {
+  await fetchAndSetDigestSri(integrityAlg, uca.credentialSubject.image);
+  await fetchAndSetTargetIntegrity(integrityAlg, uca, documentProvider);
+  return await signJwtVc(uca, privateKey, { alg, issuedAt, expiredAt });
+}
+
+async function signCp(cp, privateKey, options) {
+  return signJwtVc(cp, privateKey, options);
+}
+
+export { IntegrityCalculationError, createDigestSri, createIntegrity, fetchAndSetDigestSri, fetchAndSetTargetIntegrity, fetchExternalResource, fetchHtmlContent, fetchTextContent, fetchVisibleTextContent, selectByCss, selectByIntegrity, signCa, signCp };

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@originator-profile/sign",
+  "version": "0.4.0-beta.1",
+  "private": false,
+  "type": "module",
+  "exports": {
+    "require": {
+      "types": "./dist/index.d.cts",
+      "default": "./dist/index.cjs"
+    },
+    "import": {
+      "types": "./dist/index.d.mts",
+      "default": "./dist/index.mjs"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "jose": "^6.0.10",
+    "@originator-profile/cryptography": "0.4.0-beta.1",
+    "@originator-profile/securing-mechanism": "0.4.0-beta.1",
+    "@originator-profile/model": "0.4.0-beta.1"
+  },
+  "devDependencies": {
+    "date-fns": "^4.1.0",
+    "eslint": "^9.25.1",
+    "pkgroll": "^2.12.2",
+    "typescript": "^5.8.3",
+    "vitest": "^4.0.0",
+    "websri": "^1.0.1",
+    "@originator-profile/tsconfig": "0.4.0-beta.1",
+    "eslint-config-originator-profile": "0.4.0-beta.1"
+  },
+  "scripts": {
+    "build": "pkgroll --clean-dist --target=node20",
+    "test": "vitest run",
+    "lint": "eslint --fix .",
+    "type-check": "tsc --noEmit"
+  }
+}